IJRIT International Journal of Research in Information Technology, Volume 2, Issue 6, June 2014, Pg: 01-06

International Journal of Research in Information Technology (IJRIT) www.ijrit.com

ISSN 2001-5569

Design of a High Speed FPGA Network Intrusion Detection System

Sandeep Naik R #1, Prashanth Barla #2
E&CE Department, Srinivas Institute Of Technology, Valachil, Mangalore 574143

Abstract—Security of today's networks relies heavily on Network Intrusion Detection Systems (NIDSs). An important issue is how to scale FPGA-based NIDS implementations to ever faster network links. A trivial approach is to balance traffic over multiple, functionally equivalent hardware blocks, each implementing the whole rule set (several thousand rules); its obvious drawback is that resource occupation grows linearly with the number of blocks. In this work we promote a different, traffic-aware, modular approach to the design of FPGA-based NIDS. Instead of simply splitting traffic across equivalent modules, we classify and group homogeneous traffic and dispatch it to differently capable hardware blocks, each supporting a smaller rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well-known Snort NIDS, and we experimentally investigate the resulting trade-offs and advantages.

KEY WORDS— Deep Packet Inspection, FPGA, Intrusion Detection System, Snort, String matching, Traffic awareness

I. INTRODUCTION

A NIDS is a system that analyzes the traffic crossing a network, classifies packets according to header, content or pattern matching, and further inspects payload information against content/regular-expression matching rules to detect anomalies or attacks. The demand for network security and protection against threats and attacks keeps increasing, owing to the widespread diffusion of network connectivity and the higher risks brought about by a new generation of Internet threats. Intrusion detection systems (IDS) collect data from the IT infrastructure and analyze it to try to identify ongoing attacks. Various IDS types have been proposed in the past two decades, and commercial off-the-shelf (COTS) IDS products have found their way into the Security Operations Centers (SOC) of many large organizations. Nonetheless, the usefulness of single-source IDS has remained relatively limited for two main reasons: their inability to detect new types of attacks (for which detection rules or training data are not yet available) and their often very high false positive rate.

Software-based NIDS, such as the widely deployed software implementation of the Snort NIDS, cannot sustain the multi-Gbit/s traffic rates typical of network backbones, and are thus confined to relatively small-scale (edge) networks. For high-speed links, hardware-based NIDS solutions appear to be the more realistic choice, but the hardware implementation must permit frequent updates of the supported rule set, so as to cope with the continuous emergence of new types of network intrusion threats and attacks. Field Programmable Gate Arrays (FPGAs) are thus appealing candidates: an FPGA-based NIDS can be easily and dynamically reprogrammed when the content-matching rules change. Moreover, current FPGA devices provide very high processing capability and support high-speed interfaces.

Sandeep Naik R,IJRIT


FPGA devices able to handle 100 Gbit/s links are available and 400 Gbit/s devices are forthcoming. However, this growth in interface bandwidth is not matched by a comparable scaling of the device clock frequency: logic resources still operate at frequencies in the order of "just" hundreds of MHz. For instance, a frequency of 500 MHz, achievable only by last-generation FPGA devices, processes 8-bit characters at "only" 4 Gbit/s, so a single byte-per-clock matching engine cannot keep up with such a link and the traffic must be spread over several engines.

II. IMPLEMENTATION OF STRING MATCHING CIRCUITS

A string matching circuit can be implemented using character comparators (realized with a combinatorial network) and shift registers storing the most recently received characters. One variant is a decoded structure, which allows the comparators in the combinatorial network to be shared: at the price of more registers, it minimizes the combinatorial network when the number of strings to be searched is large enough. Starting from the basic string matching circuit (Fig. 1), we extended it with counters and comparators to support the more specific and complex rules specified by Snort. Specifically, we deployed a global counter and a number of dedicated registers tracking partial matches. This extension allows an easy hardware implementation of typical Snort rules, which are usually expressed as content + modifiers, where:

• Content: a fixed pattern to be searched for in the packet payloads of a flow. If the pattern is contained anywhere in the payload, the test succeeds and the other rule option tests are performed. A content keyword pattern may be composed of a mix of text and binary data. Most rules have multiple contents.

• Modifiers: they identify the location at which a content is searched for inside the payload. This location can be absolute (defined with respect to the start of the flow) or relative to the match of a previous content.

Fig. 1. Basic implementation of the string matching circuit

Fig. 2 shows an example of a rule matched with the extended content matching approach. The rule is composed of two contents, "ab" and "cde", that must lie less than 10 bytes apart. The first part of the rule, i.e. the match of the content "ab", is performed by a two-input AND gate. When that content is matched, the value of the global counter is stored in a register. When the second content is matched, the system also checks whether the difference between the global counter and the value stored in the register is less than ten bytes. This extension is resource consuming, because a register and a comparator must be instantiated for each part into which a rule is decomposed, so the resource occupation of this block grows with the number of rules implemented.


Fig. 2. Implementation of a rule composed of two contents: a) first content matching; b) second content matching and distance check

An alternative implementation of a string matching engine relies on a DFA-based structure, like the one presented in Fig. 3. This structure shares with the previous one the use of a character comparator followed by AND gates. The difference is that here the registers (and therefore the state) do not store the last received characters, or the result of their decoding, but an intermediate result that tracks the partial match of the characters received so far. In particular, in the example of Fig. 3 the flip-flop labeled F1 stores the match of "a", while F2 stores the match of "ab". Note that the number of register elements grows with the number of strings to be searched for and with the number of characters of each string, as shown in Fig. 3.

Fig. 3. DFA implementation of the string matching circuit
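The two circuits above can be followed in software. The block below is an added example, not the paper's code: a byte-per-clock model in which each content is matched by a chain of partial-match flags, as the flip-flops F1 ("a") and F2 ("ab") of Fig. 3 do in hardware, while a global byte counter plus one latch register per content implement the distance check of Fig. 2 ("ab" followed by "cde" fewer than 10 bytes later). It generalizes to rules with more than two contents, which the text says are the common case; the class and function names and the payloads are assumptions of this example.

```python
# Added example (not the paper's code): software model of the extended
# string matching circuit of Section II. One byte is consumed per clock.


class ContentChain:
    """Flag chain for one fixed pattern, like F1/F2 in Fig. 3.

    After clock(b), flags[k] is True when the last k+1 bytes fed in equal
    pattern[:k+1]. Every flag is recomputed from the previous flags each
    cycle, so overlapping candidates ("aab" inside "aaab") are handled
    without any failure transitions.
    """

    def __init__(self, pattern: bytes) -> None:
        if not pattern:
            raise ValueError("a content must be at least one byte long")
        self.pattern = pattern
        self.flags = [False] * len(pattern)

    def clock(self, byte: int) -> bool:
        p, prev = self.pattern, self.flags
        new = [byte == p[0]]                      # F1: current byte is p[0]
        for k in range(1, len(p)):
            new.append(prev[k - 1] and byte == p[k])  # Fk: Fk-1 held and byte is p[k]
        self.flags = new
        return new[-1]                            # full match ends at this byte


class DistanceRule:
    """Ordered contents; content i (i > 0) must end fewer than max_gap[i]
    bytes after the latched end of content i-1 (the Fig. 2 check:
    global counter minus stored register value < 10).
    Extension to more than two contents is an assumption of this model."""

    def __init__(self, contents: list[bytes], max_gap: list[int]) -> None:
        if len(contents) != len(max_gap):
            raise ValueError("one max_gap entry per content (entry 0 is unused)")
        self.chains = [ContentChain(c) for c in contents]
        self.max_gap = max_gap
        self.counter = -1                        # global byte counter (flow offset)
        self.latched = [None] * len(contents)    # register per content: counter at last match

    def clock(self, byte: int) -> bool:
        """Feed one byte; return True when the whole rule fires on it."""
        self.counter += 1
        fired = False
        for i, chain in enumerate(self.chains):
            if not chain.clock(byte):
                continue
            if i > 0:
                prev = self.latched[i - 1]
                if prev is None or self.counter - prev >= self.max_gap[i]:
                    continue                     # previous content absent or too far back
            self.latched[i] = self.counter       # store the counter in this content's register
            if i == len(self.chains) - 1:
                fired = True
        return fired

    def scan(self, payload: bytes) -> list[int]:
        """Return the flow offsets at which the rule fires. State persists
        across calls, so successive packets of one flow can be fed in turn."""
        hits = []
        for byte in payload:
            if self.clock(byte):
                hits.append(self.counter)
        return hits


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    rule = DistanceRule([b"ab", b"cde"], [0, 10])
    print(rule.scan(b"xxabyyycdezz"))            # [9]: "cde" ends 6 bytes after "ab"
    far = DistanceRule([b"ab", b"cde"], [0, 10])
    print(far.scan(b"ab" + b"x" * 20 + b"cde"))  # []: 23-byte gap fails the check
```

The model mirrors the hardware cost argument: each ContentChain carries len(pattern) flags (one flip-flop each), and each content of a rule costs one latch register and one comparison in DistanceRule.clock, so resources grow with the number of rules and the length of their contents. Because state persists across scan calls, a flow can be fed packet by packet and the counter keeps its absolute meaning.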

III. OVERALL SYSTEM ARCHITECTURE

As anticipated in the introduction, the system comprises multiple string matching modules. These are further organized into clusters, sized so as to sustain the expected per-cluster traffic load. Packets are balanced across clusters on the basis of policies implemented in a block called the dispatcher. The overall system architecture is shown in Fig. 4.


Fig. 4. Proposed overall system architecture

• Network interface: it collects packets from the network link under monitoring.

• Dispatcher: it provides a header-based packet classification, whose result determines to which string matching cluster the packet is transmitted.

• String matching engines (SMEs): blocks performing string matching. Their design is identical (as described in the previous section), but the content searching rules synthesized in the engines of different clusters differ, and specifically depend on the type of traffic routed to the considered cluster. A generic string matching system is composed of n clusters, each clocked at its own frequency f_i and composed of K_i identical SMEs.

• Queue manager: this block provides a queue for each SME cluster, buffering packets to cope with packet bursts. The queues can be realized with external memories to provide enough space; the memory is partitioned as a set of circular buffers, each controlled by two pointers, and a control FSM implementing a round-robin policy makes the memory usable as a set of independent queues. Since the SME clusters may be clocked at different frequencies, with respect to each other and to the queue manager, asynchronous FIFOs for clock decoupling are placed between the queues and the SMEs.

Since multi-byte string matching engines would complicate the internal design, the queue output is 8 bits wide. Conversely, the interfaces between the remaining modules can move multiple characters at a time. For example, if the network interface is the Xilinx 10 Gigabit Ethernet core [34], which provides a 64-bit interface running at f0 = 156.25 MHz, the data width will be N = 64 bits and the operating frequency of the dispatcher will be f0. The resulting operation depends on a configuration setting that includes the following decisions and parameters:

• Dispatcher classification policy;
• String matching rules loaded on each cluster of engines;
• Operating frequency of each cluster;
• Number of string matching engines deployed in every cluster.
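As an added example (not the paper's code) of the sizing decisions the configuration above fixes, the block below computes, for each traffic class, the number K_i of engines a cluster clocked at f_i needs: each SME consumes one 8-bit character per clock, so a cluster sustains 8 * f_i * K_i bit/s. It also estimates the queue depth the queue manager needs for a burst that arrives at line rate into a cluster that drains more slowly, and models the dispatcher as a (protocol, destination port) policy table with a default cluster. The traffic classes, their load shares and the policy entries are constructed assumptions.

```python
# Added example (not the paper's code): cluster sizing, burst buffering and
# header-based dispatch for the architecture of Section III.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Cluster:
    name: str
    f_hz: float        # cluster clock f_i
    engines: int       # K_i identical string matching engines

    def capacity_bps(self) -> float:
        """One 8-bit character per SME per clock."""
        return 8.0 * self.f_hz * self.engines


def engines_needed(load_bps: float, f_hz: float) -> int:
    """Smallest K_i with 8 * f_i * K_i >= load_bps (never fewer than one SME)."""
    return max(1, math.ceil(load_bps / (8.0 * f_hz)))


def size_clusters(link_bps: float,
                  classes: dict[str, tuple[float, float]]) -> list[Cluster]:
    """classes maps a traffic class to (share of link load, cluster clock in Hz).
    The shares are what the dispatcher policy is expected to steer to each cluster."""
    return [Cluster(name, f_hz, engines_needed(share * link_bps, f_hz))
            for name, (share, f_hz) in classes.items()]


def burst_buffer_bytes(burst_bytes: int, link_bps: float, capacity_bps: float) -> int:
    """Queue depth needed for a burst arriving at line rate into a cluster
    draining at capacity_bps; zero when the cluster keeps up with the link."""
    if capacity_bps >= link_bps:
        return 0
    return math.ceil(burst_bytes * (1.0 - capacity_bps / link_bps))


class Dispatcher:
    """Header-based classification: the first (proto, port range) entry that
    matches wins; anything else goes to the default cluster (assumed policy shape)."""

    def __init__(self, policy: list[tuple[int, int, int, str]], default: str) -> None:
        self.policy = policy          # (ip proto, port_lo, port_hi, cluster name)
        self.default = default

    def classify(self, proto: int, dst_port: int) -> str:
        for p, lo, hi, cluster in self.policy:
            if p == proto and lo <= dst_port <= hi:
                return cluster
        return self.default


if __name__ == "__main__":
    LINK = 10e9                       # 10 Gigabit Ethernet interface of the text
    # Constructed traffic mix: shares and clocks are assumptions, not measurements.
    plan = size_clusters(LINK, {"web": (0.5, 156.25e6),
                                "mail": (0.1, 156.25e6),
                                "other": (0.4, 200e6)})
    for c in plan:
        print(c.name, "K =", c.engines, "capacity =", c.capacity_bps() / 1e9, "Gbit/s")
    web = plan[0]
    print("buffer for a 1 MB burst into a 2-engine web cluster:",
          burst_buffer_bytes(1_000_000, LINK, Cluster("web", 156.25e6, 2).capacity_bps()))
    d = Dispatcher([(6, 80, 80, "web"), (6, 443, 443, "web"), (6, 25, 25, "mail")], "other")
    print(d.classify(6, 80), d.classify(17, 53))
```

With the 10 Gigabit Ethernet interface of the text, a class carrying half the link load needs four engines at 156.25 MHz. Whatever the dispatcher cannot classify lands in the default cluster, so that cluster must be loaded with the rules meant for unclassified traffic; otherwise packets arriving on an unexpected port are inspected against nothing.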

IV. IMPLEMENTATION AND TESTING

The FPGA used for the implementation of the circuit is a Xilinx Spartan-3E (family), XC3S500E / XC3S1600E (device), FG320 / FG484 (package), speed grade -5. The design environment is Xilinx ISE 9.2i.


Fig. 5. NIDS FPGA kit

The Spartan-3E Starter Kit board highlights the features of the Spartan-3E FPGA family and provides a convenient development board for embedded processing applications. The design was synthesized, checked for syntax and timing-constraint compliance, and then implemented on this board.

V. CONCLUSION

Strategic placement of the monitoring system is crucial. If you are trying to capture traffic local to your network, you may miss it if the sensor sits at the network border; likewise if you have only one monitoring system but more than one connection linking your local area network to external networks. One network device to be mindful of when selecting the placement of an IDS or IPS is a Virtual Private Network (VPN) concentrator: traffic inside a VPN tunnel is encrypted, and an IDS placed on the tunnel side cannot analyze it adequately.

There are several opportunities for future work. First, this NIDS can be improved by considering techniques by which intrusion detection information captured at one network point can be shared with other interested parties or devices; the PowerPC processor would be a good substrate for coordinating the distribution of this information. Another avenue is exploring how high-capacity FPGAs can be better leveraged in a large-scale NIDS. Our experiments indicate that current FPGAs are large enough to house very large rule sets; however, compiling these circuits is very time consuming, taking as long as two days on state-of-the-art workstations. Both compilation time and clock speed can be improved with better floor-planning, so the next step in this work will be refining how placement information is added to the intrusion detection (ID) cores when the pattern matching circuitry is generated. Finally, this work can be improved by considering methods by which an FPGA-based NIDS is incrementally updated with new patterns over time. In the current approach the NIDS must be taken offline briefly and reconfigured whenever rule updates are applied. Because updates are infrequent and require only a few seconds of downtime, this is acceptable for many applications. However, if high availability is required, partial reconfiguration techniques are a potential solution: with partial reconfiguration, the network interface (NI) units would buffer incoming packets while the ID unit is updated with new circuitry.

REFERENCES

[1] P. Borgnat, G. Dewaele, K. Fukuda, P. Abry, K. Cho, "Seven years and one day: Sketching the evolution of internet traffic", in Proc. of the 28th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2009), pp. 711-719.
[2] A.V. Aho, M.J. Corasick, "Efficient String Matching: An Aid to Bibliographic Search", Communications of the ACM, Vol. 18, No. 6, June 1975.


[3] J. Bispo, I. Sourdis, J. Cardoso, S. Vassiliadis, "Synthesis of Regular Expressions Targeting FPGAs: Current Status and Open Issues", in Proc. of the 3rd International Conference on Reconfigurable Computing: Architectures, Tools and Applications (ARC 2007), Springer-Verlag.
[4] Sourcefire, "Snort: The Open Source Network Intrusion Detection System", available at http://www.snort.org.
[5] S. Teofili, E. Nobile, S. Pontarelli, G. Bianchi, "IDS Rules Adaptation for Packets Pre-filtering in Gbps Line Rates", in Trustworthy Internet, pp. 303-316, Springer, 2011.
[6] I. Sourdis, V. Dimopoulos, D. Pnevmatikatos, S. Vassiliadis, "Packet Pre-filtering for Network Intrusion Detection", in 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), 2006, pp. 183-192.
